Hackers up the ante for small-business data security
It's getting a lot trickier for small-business owners to keep customers' credit card
information safe from criminals. Still, there are steps you can take. They're
not free, but if you consider the damage a security breach can inflict on your
business, they're usually a worthwhile investment.
You need look no further than the headlines to see how widespread data security
problems have become. In the autumn of 2012, thieves reportedly hacked the
point-of-sale systems at 63 Barnes & Noble stores in nine states, leading
to an FBI investigation. The bookseller turned off all
7,000 keypads in its stores and found that only one keypad in each store had
been hacked. Nevertheless, the company removed all 7,000 of them.
Not long after that, the Israel-based firm Seculert identified a type of malware
called Dexter, which steals customer data from retailers' POS systems. It hit
check-outs in 40 countries, with hotels, shops, restaurants and parking
providers all affected, according to Seculert.
Small business =
While big business might seem like the most lucrative target for fraudsters, small companies
are particularly vulnerable, say experts. Often, owners are so busy running day-to-day
operations that they skimp on security measures -- until it's too late.
"[Small businesses] tend to think security and data breaches are not their problem, because they're
too small," says Julie Conroy, director of research at Aite Group, a
Boston-based research and advisory firm. "What we've seen is that the organized
criminal rings are focused very heavily on the smaller merchants," she says.
Verizon's 2012 Data Breach Investigations Report, which
covered 2011, found that there were 174 million compromised records around the
globe, the second highest total since the report was launched in 2004 -- after
hitting a record low of just 4 million in 2010. Verizon bases the report on the
results of paid forensic investigations it has done into various types of
hacking, including attacks involving POS systems.
The report attributed the increase in data theft to civil unrest in the US and
abroad, which has led to "hacktivism" aimed at embarrassing corporate victims.
Another reason for the increase has also been a tendency of criminals to automate
high-volume attacks against weaker targets, according to the report.
Cost of crime
The price of being victimized can be high. LexisNexis Risk Solutions found in its
2012 "True Cost of Fraud" study that one-third of consumers will change where
they shop if they have been victimized in a fraudulent retail transaction. Merchants
now pay $2.70 in lost and stolen merchandise for every $1 of fraud -- up from
$2.30 in 2011. For small merchants, the costs are steeper: $3.10 for every $1,
up from $2.70 in 2011.
Card-issuing banks spot fraud, says Conroy, after noticing a pattern of
consumers calling about charges they did not make and detecting that they had all
patronized a particular business. However, spotting such a fraud can take a
while at a small business that doesn't do a high volume of credit card transactions
-- a reality that criminals recognize and exploit by racking up fraudulent
charges quickly. "They will hit hard and they will hit fast," says Conroy.
If the bank ultimately traces a breach to a merchant's failure to comply with the
Payment Card Industry Data Security Standard -- a set of industry rules to avoid
fraud -- the merchant can be fined as issuers pass along their losses, she
says. "[T]hese fines can put them out of business," says Conroy. "For a small breach, it
will be in the hundreds of thousands of dollars. For a big breach, it will be
in the millions." Some larger breaches have resulted in criminals penetrating
the POS system of multiple stores with the same ownership, magnifying the
losses, she notes.
There is a lot merchants can do to protect themselves from common types of
fraud, such as theft of customer information through POS malware. Verizon's report
notes that most of the breaches it covered were preventable.
At the most basic level, retailers should make sure that when they hire an
integrator to install their POS system, the installer changes the default
password. It should be something unique, not the stock password that the installer
uses with all of his customers, says Chris Pogue, director of incident response at Trustwave's
SpiderLabs, a Chicago-based ethical hacking firm that helps clients avoid criminal
attacks. "The easiest way to do that is change your password," he says.
Other key steps are changing
the port for remote administration tools such as LogMeIn that are used by the
vendor who services the network -- and using a firewall to restrict access to
the network, according to a white paper from Trustwave. Disabling access and requiring
a vendor to get permission to use it when needed can also prevent breaches that
might occur if access were open all the time, says Trustwave.
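As an added example (not material from the article or from Trustwave), the script below generates an nftables ruleset that implements those two points for a Linux host running a PC-based POS: inbound traffic is dropped by default, and the remote-administration port is accepted only from the vendor's address, on a non-default port, and only while the merchant has explicitly opened an access window. The vendor address, the port number and the choice of nftables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article or Trustwave: emit an nftables
# ruleset for a host running a PC-based POS. Inbound traffic is dropped by
# default; the remote-admin port is accepted only from the vendor's address
# and only while the merchant has opened an access window.
# Hypothetical values: vendor address 203.0.113.10, admin port 48217.

VENDOR_IP="${VENDOR_IP:-203.0.113.10}"
ADMIN_PORT="${ADMIN_PORT:-48217}"

# pos_ruleset <open|closed> -- print the ruleset; review it, then load it
# with `nft -f`. Anything other than "open" is treated as a closed window.
pos_ruleset() {
    window="$1"
    cat <<EOF
table inet pos_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
EOF
    # The vendor rule exists only while the window is open; when it is closed
    # the admin port is not special-cased and falls through to the default drop.
    if [ "$window" = "open" ]; then
        printf '        ip saddr %s tcp dport %s accept\n' "$VENDOR_IP" "$ADMIN_PORT"
    fi
    cat <<EOF
        log prefix "pos-drop: " drop
    }
}
EOF
}

# admin_accept_rules <open|closed> -- number of rules in the generated ruleset
# that accept the admin port: 0 with the window closed, 1 with it open.
admin_accept_rules() {
    pos_ruleset "$1" | grep -c "tcp dport $ADMIN_PORT accept" || true
}

# Stand-alone usage: `sh pos_fw.sh open` during a vendor maintenance window,
# no argument to print the locked-down ruleset.
pos_ruleset "${1:-closed}"
```

The ruleset is written to stdout rather than applied directly so the merchant or integrator can review it; closing the window and reloading the ruleset returns the host to the default-drop state.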
Security as deterrent
Determined hackers may
be able to get around passwords, but many won't bother. "The attackers
are smart," says Pogue. "They have quotas just like anyone else does. They have
to compromise a certain number of systems. If they've got to fiddle and futz
around with yours and the guy next door isn't doing anything, they're going to
leave you alone and go to the guy next door."
For many merchants, the most cost-effective preventive measure is using the POS security
system that their card issuer offers, says Conroy. Some, like Visa, offer end-to-end
encryption, which encrypts customers' data during a swipe and decrypts it at
its destination. It's often possible to pay a small monthly fee to add this
service to an account, says Conroy.
It's also important for merchants to keep their POS software up to date, says Jerry
Irvine, chief information officer of Schaumburg, Ill.-based consultancy
Prescient Solutions, and a member of the
National Cyber Security Task Force. "[Updates and patches] are things that
companies put out to keep viruses and hacking from occurring," he says. While
many retailers like the convenience of wireless networks, it's best to avoid
using them to connect a POS system if you can, Irvine advises.
Those who use a PC-based terminal should avoid using it for email, which can carry
malware. Likewise, make sure that employees do not use it to surf the web, say
experts. "Separate it from the computers used in the store," says Walter
Pearce, principal security researcher at the cyber security firm Casaba in
Redmond, Wash. He says it should be secured 24/7.
It's also important to make sure that devices haven't been inserted into card
readers to steal customer information. You can feel for the devices yourself or
have a trusted worker do it. "Have your employees put their hand in the part
you put your credit card in," advises Irvine. "Does it have any extra plastic?"
Often, it's a good idea to sign up for a service contract from your POS system
vendor so that someone who is knowledgeable about swiping devices can inspect
them regularly, says Pearce.
Stores with self-checkout stations can be especially vulnerable because cashiers may
not be keeping an eye on them. In 2011, more than 20 Lucky stores in California
were victimized in a skimming scheme in which devices were inserted into
self-checkout stations. At the time, the chain announced that the devices
grabbed information from both customers and employees and that money had been
stolen from some of their accounts, according to published reports.
The enemy within
The most basic security begins with the people you think you know. Make sure that
cashiers scan cards in the presence of customers, so that rogue employees can't
surreptitiously scan cards on their own devices and steal the data, Irvine adds.
"Internal theft and hacking is always the most prevalent," he says.
To prevent breaches, Pearce recommends using security cameras to monitor computers
and other devices in a POS system -- particularly after hours. An unscrupulous
janitor who has access to the premises when no one is around might otherwise be
able to add a device to a credit card terminal undetected, he notes.
Some criminals have gotten so bold that they have impersonated computer service
teams to enter stores in broad daylight. It's important to ask questions if
repair personnel you don't know make an unexpected visit, notes Conroy.
"Employees need to be aware of people who come into their store to service
their machines," she says. "They need to be asking for credentials." That may
seem extreme but given the potential cost of fraud, experts say steps like this
are well worth it.
Published: March 14, 2013